Large corporations utilize computer-based applications to support critical functions in virtually every area of operation. For example, companies may employ separate applications for electronic mail, document control, financial applications, inventory management, manufacturing control and engineering functions, as well as overall management of network access. Each application often requires a separate log-on procedure, including provision of some form of known personal identification such as a user ID, a password or a key sequence, or the validation of some inherent (e.g., biometric) trait or characteristic of the user. The large and increasing number of applications requiring user authentication burdens both the users and systems administrators with creating, remembering, and securing these various forms of authentication data. From a management perspective, the proliferation of computer applications with varying security and sign-on procedures adds significant cost to the ongoing maintenance of a secure information-technology infrastructure. Complicating these challenges is the increasing need for users to access secure (i.e., behind a firewall) computing resources from remote and often unsecure locations, such as a home computer, public wireless networks and mobile devices.
Allowing unauthenticated users to connect to a corporate backbone from an unknown remote computer is fraught with security risks. For example, legitimate log-on credentials can be “sniffed” from the network (whether it is wired or wireless), or captured using malware (such as a keyboard logger) or even by surreptitious surveillance (“shoulder surfing”). To combat these challenges, security-minded organizations have implemented tokens that generate one-time passwords (OTP) or perform cryptographic functions. OTPs (also known as dynamic passwords) are popular because they can be used with any log-on procedure that accepts a password, and they ensure security of the account due to the limited lifespan of the password.
Typically, OTPs are generated by a dedicated device (such as the Go-Token from Vasco) or a software program running on a personal digital assistant (PDA), or in some cases the OTP is transmitted over a cell phone using Short Message Service (SMS). While this usage model may suit the casual user, it can be frustrating for users who must frequently transcribe the six or more OTP characters from a display to an input field. This problem is exacerbated in a wireless environment that may require periodic reauthentication based on time limits, roaming, or both. Furthermore, because wireless communications are easier to “sniff,” it is common to require one OTP to connect the client to a wireless access point (WAP), and a second OTP to initiate a virtual private network (VPN) tunnel. Frequently users may be required to wait a predetermined amount of time before using the next OTP code, resulting in an even longer delay before being able to reconnect to the network.
Client-resident single-sign-on (SSO) agents can automate the delivery of static passwords into specific log-on screens once a user is authenticated to a system. The client agent has access to a credential store that contains a cache of static passwords that are either manually entered by the user, or learned by capturing the log-on credentials during an authentication process. However, SSO systems generally rely on static passwords that remain the same for each application and are synchronized with the log-on credentials for that application. As such, current client-side SSO systems do not work in conjunction with single-use passwords because users must complete a password update cycle with each access request in order to update the password retained by the SSO system.
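The following Python model, added here as an illustration and not part of the application text, shows why a cached static credential cannot stand in for a one-time password: it implements an RFC 4226 HOTP token and a server-side verifier that consumes each counter value, and a simplified SSO credential store (names `OtpVerifier`, `StaticCredentialStore`, `demo` are assumed) that replays the password it captured at first log-on. The secret is the RFC 4226 test-vector key, used only so the codes are checkable.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server side: accepts a code within a look-ahead window, then retires it."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server will accept
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # consume: every earlier code is now dead
                return True
        return False


class StaticCredentialStore:
    """Client-side SSO cache: learns a password at log-on and replays it later."""

    def __init__(self):
        self.cache: dict[str, str] = {}

    def learn(self, app: str, password: str) -> None:
        self.cache[app] = password

    def replay(self, app: str) -> str:
        return self.cache[app]


def demo() -> tuple[bool, bool, bool]:
    secret = b"12345678901234567890"   # RFC 4226 test-vector key (constructed input)
    server, store, token_counter = OtpVerifier(secret), StaticCredentialStore(), 0
    first = hotp(secret, token_counter); token_counter += 1     # user reads token
    store.learn("vpn", first)                                    # SSO agent captures it
    first_ok = server.verify(first)                              # accepted once
    replay_ok = server.verify(store.replay("vpn"))               # cached value: rejected
    fresh = hotp(secret, token_counter); token_counter += 1     # user must transcribe again
    fresh_ok = server.verify(fresh)
    return first_ok, replay_ok, fresh_ok
```

`demo()` returns `(True, False, True)`: the captured password works exactly once, so the SSO cache is stale on the very next reauthentication, which is the password-update cycle the paragraph describes.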
What is needed, therefore, are systems and techniques that can combine the security of OTP-based authentication and the convenience of SSO applications.